Mobile Threat Monday: App For Doctors Sends Unencrypted Data

Even before the Affordable Care Act, Internet technology and medicine have had an uneasy relationship. Most agree that things like digital patient records could improve how care is administered, but issues of security and privacy (and enormous up-front costs) have kept progress modest. This week, we look at one Android app that aims to help doctors, but ends up revealing personal information in the process.

Calculate by QxMD

Described by its developers as a "next-generation medical calculator and decision support tool," Calculate has already proved popular, with between 100,000 and 500,000 downloads from Google Play. It includes several tools designed to help doctors calculate basic information such as a pregnancy due date, guide the treatment of burns, and identify medical conditions.

But Appthority's CTO Kevin Watkins writes that the app fails to live up to the promises made by its own privacy policy. Specifically, the app sends private data over the network unencrypted, in plaintext. "This action directly contradicts what is stated in the app's privacy policy: that all data is to be encrypted when transmitted," writes Watkins.

Not Always Encrypted

For example, QxMD's privacy policy says that the company uses SSL to encrypt all information it transmits. "We found that the registration and setup sends the doctor information, such as name, e-mail, and location over the network in plaintext," wrote Watkins, noting that the app also sent the doctor's zip code and city.

While the app's policy acknowledges that it collects some information, Appthority found that the app records every screen the user visits, along with the inputs entered there, and sends that information over the network as well. This information is encrypted some of the time, but not all of the time.

Appthority draws a disconcerting conclusion from its review of the app. "The fact that the registration information is sent over plaintext, combined with [the fact] that the app activity and inputs are sent over plaintext, it would be possible to combine that information on the network to determine the doctor, hospital, and patient diagnostics data," writes Watkins.
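The check a practitioner would want here is the one Appthority implies: capture the app's traffic and see which requests an on-path observer can actually read. The script below is an added example written for this article, not Appthority's tooling or QxMD's code. It works on constructed client payloads supplied as (destination port, bytes) tuples rather than on a real packet capture, skips anything that begins with a TLS record header (an observer sees only ciphertext there), and for each plaintext HTTP request lists the parameters sent in the clear and which of them look like personal data. The parameter names in PII_FIELDS, the hostnames and the sample values are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample client payloads (destination port, first bytes sent), written
# for this example. They are not packets captured from the app described above.
SAMPLE_FLOWS = [
    # Registration POST over plain HTTP: the kind of leak Appthority describes.
    (80, b"POST /api/register HTTP/1.1\r\nHost: app.example.invalid\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"name=Jane+Doe&email=jane.doe%40hospital.invalid&city=Boston&zip=02115"),
    # Screen-view telemetry with calculator inputs in the query string, also plain HTTP.
    (80, b"GET /track?screen=burn_calc&tbsa=27&weight=70 HTTP/1.1\r\n"
         b"Host: app.example.invalid\r\n\r\n"),
    # A TLS ClientHello (record type 0x16, version 3.x): opaque, so nothing to inspect.
    (443, b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32),
]

# Parameter names treated as personal data of the registering doctor (assumption).
PII_FIELDS = {"name", "email", "city", "zip", "zipcode", "postal"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header (content type 0x16 = handshake)."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def parse_http_request(payload: bytes):
    """Return (method, request-target, body) for a plaintext HTTP request, else None."""
    head, _, body = payload.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), body


def plaintext_requests(flows):
    """List every plaintext HTTP request in `flows` with the parameters it exposes.

    Each entry records the parameter names sent in the clear and the subset that
    looks like personal data, either by name or because a value is an e-mail address.
    """
    report = []
    for port, payload in flows:
        if is_tls_record(payload):
            continue  # encrypted: an on-path observer sees only ciphertext
        req = parse_http_request(payload)
        if req is None:
            continue  # not an HTTP request
        method, target, body = req
        url = urlsplit(target)
        params = parse_qs(url.query)
        params.update(parse_qs(body.decode("utf-8", "replace")))
        pii = {k for k in params if k.lower() in PII_FIELDS}
        pii |= {k for k, vals in params.items() if any(EMAIL_RE.search(v) for v in vals)}
        report.append({
            "port": port,
            "method": method,
            "path": url.path,
            "params": sorted(params),
            "pii": sorted(pii),
        })
    return report


if __name__ == "__main__":
    for entry in plaintext_requests(SAMPLE_FLOWS):
        print(entry)
```

Run against the constructed flows, the registration POST is reported with name, email, city and zip exposed, the telemetry GET is reported with its screen name and inputs but no direct identifier, and the TLS flow produces nothing. Correlating the first two by source address is exactly the linkage Watkins describes; in practice you would feed the function with payloads reassembled from a capture (for example, tcpdump or mitmproxy output) taken while registering in the app.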

But this is not a patient record application, and in fact the application does not tie any of this data directly to an individual patient's identity. Watkins writes, "This app doesn't include inputs for patient names, or link to such a patient database, so patient privacy information isn't being exposed."

Why This Matters

What's scary isn't that medical information is being sent around in the clear (it is, though without your name attached) but that the app's behavior appears to be at odds with the promises its developers make in their privacy policy.

This goes further than the challenges of digitizing medicine, because it demonstrates that the trust established between developers and users is sometimes illusory. "It's important to note that while having a privacy policy is necessary—if not required—for most apps, app users and enterprises should be aware that this doesn't mean the app follows their own privacy policies," writes Watkins. "And, just because a medical mobile app may state they follow the regulatory standards around privacy, doesn't mean that they do."

UPDATE 11/18: A representative from QxMD has informed us that the issues reported by Appthority have been resolved as of November 4. SecurityWatch has not independently verified the changes.

A representative of QxMD told SecurityWatch: "We [take] privacy very seriously and certainly regret that any user data was transmitted in an unencrypted fashion. It should be made clear that no patient specific identifiers were ever collected or transmitted. In fact, Calculate is meant to be an educational tool to support clinical decisions at the point of care and is not integrated with patient databases. As such, no patient data was ever at risk."
